SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

Server Configuration: Routing Traffic to WireGuard Interface #1814

Closed davidstrt closed 3 weeks ago

davidstrt commented 4 weeks ago

Operating system

Linux

System version

Ubuntu 20.04, Kernel: 5.15.0-107-generic

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.0

Environment: go1.22.3 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 5ff7006326e8a876d33d92b26ebd2671cdd48b9f
CGO: disabled

Description

I'm currently trying to route traffic from the sing-box server to a WireGuard interface (wg0) on the same machine (VPS 1). I've noticed that when the wg0 interface is down, I can use outbounds with `"type": "wireguard"` without any issues (using the sing_out_wg.json config). However, as soon as I enable the wg0 interface with `wg-quick up wg0` and use the sing_out_direct.json config, my sing-box clients stop working.

   PC / Mobile          VPS 1 ( sing-box server / wg client )                VPS 2                        
   ┌──────────┐       ┌───────────────────────────────────────┐       ┌──────────────────┐                
   │  NOT     │       │ > wg-quick up wg0                     │       │                  │                
 ┌─┴┐ Working │ ────► │                                       │ ────► │ wireguard-server │ ─────► Internet
 │  ├─────────┘       │ > sing-box run -c sing_out_direct.json│       │                  │                
 └──┘                 └───────────────────────────────────────┘       └──────────────────┘                

   ┌──────────┐       ┌───────────────────────────────────────┐       ┌──────────────────┐                
   │          │       │ > wg-quick down wg0                   │       │                  │                
 ┌─┴┐ Working │ ────► │                                       │ ────► │ wireguard-server │ ─────► Internet
 │  ├─────────┘       │ > sing-box run -c sing_out_wg.json    │       │                  │                
 └──┘                 └───────────────────────────────────────┘       └──────────────────┘                

I've tried setting `"bind_interface": "wg0"` on the direct outbound, but this doesn't seem to establish a connection either.

I'm wondering if there's any additional routing configuration needed in addition to the `"bind_interface"` setting? Or is this setting even relevant in this context?

Any guidance or suggestions would be greatly appreciated.

P.S: If you're curious why I need the reroute config, it's because the WireGuard server alters its credentials as soon as the interface goes offline, which necessitates directing traffic to the WireGuard interface.

Reproduction

VPS 1 (sing-box server / WireGuard client):

wg showconf wg0

```conf
[Interface]
ListenPort = 33986
FwMark = 0xca6c
PrivateKey = eIRLTVt73RComsJEL9jwhMWrz7zjnIi97XS7gRGCuG8=

[Peer]
PublicKey = YUTsPMYJfrqXjIFmYXOeKWV/WRajm/uDC5e+1XM2c2M=
AllowedIPs = 0.0.0.0/0
Endpoint = :51820
PersistentKeepalive = 25
```

wg-quick up wg0

```
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
```

cat sing_out_direct.json

```json
{
  "inbounds": [
    {
      "type": "vmess",
      "tag": "vmess-in",
      "listen": "::",
      "listen_port": 11144,
      "tcp_fast_open": true,
      "users": [
        {
          "name": "vmessuser",
          "uuid": "d753ade4-0efe-4d86-bb5b-41f86aeb1e48",
          "alterId": 0
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "www.python.org",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "www.python.org",
            "server_port": 443
          },
          "private_key": "cAl8_5zyUM4Ia4FcgV7WnqLGvhUgKEk_nQKTLnpevWY",
          "short_id": [
            "494b44192830c2c6"
          ]
        }
      },
      "multiplex": {
        "enabled": true,
        "padding": true,
        "brutal": {
          "enabled": true,
          "up_mbps": 3072,
          "down_mbps": 3072
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct",
      "bind_interface": "wg0"
    }
  ]
}
```

sing-box run -c sing_out_direct.json

```bash
INFO[0000] router: updated default interface eth0, index 2
INFO[0000] inbound/vmess[vmess-in]: tcp server started at [::]:11144
INFO[0000] sing-box started (0.00s)
```

Client: 🚫🚫🚫 The clients are unable to establish a connection.


wg-quick down wg0

```
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d tun.wg0 -f
[#] iptables-restore -n
```

cat sing_out_wg.json

```json
{
  "inbounds": [
    {
      "type": "vmess",
      "tag": "vmess-in",
      "listen": "::",
      "listen_port": 11144,
      "tcp_fast_open": true,
      "users": [
        {
          "name": "vmessuser",
          "uuid": "d753ade4-0efe-4d86-bb5b-41f86aeb1e48",
          "alterId": 0
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "www.python.org",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "www.python.org",
            "server_port": 443
          },
          "private_key": "cAl8_5zyUM4Ia4FcgV7WnqLGvhUgKEk_nQKTLnpevWY",
          "short_id": [
            "494b44192830c2c6"
          ]
        }
      },
      "multiplex": {
        "enabled": true,
        "padding": true,
        "brutal": {
          "enabled": true,
          "up_mbps": 3072,
          "down_mbps": 3072
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "wireguard",
      "tag": "wg-out",
      "server": "",
      "server_port": 51820,
      "system_interface": false,
      "gso": false,
      "interface_name": "wg1",
      "local_address": [
        "10.10.10.2/24"
      ],
      "private_key": "eIRLTVt73RComsJEL5jwhMWrz7zjnIi97XS7gRGCuG8=",
      "peer_public_key": "YUTsPMYJfrqXjIFmYXOeKWV/WRajm/uDC1e+1XM5c2M=",
      "mtu": 1420
    }
  ]
}
```

sing-box run -c sing_out_wg.json

```bash
INFO[0000] router: updated default interface eth0, index 2
DEBUG[0000] outbound/wireguard[wg-out]: uapi: updating private key
DEBUG[0000] outbound/wireguard[wg-out]: peer(YUTs…2c2M) - uapi: created
DEBUG[0000] outbound/wireguard[wg-out]: peer(YUTs…2c2M) - uapi: updating endpoint
DEBUG[0000] outbound/wireguard[wg-out]: peer(YUTs…2c2M) - uapi: adding allowedip
INFO[0000] inbound/vmess[vmess-in]: tcp server started at [::]:11144
INFO[0000] sing-box started (0.22s)
DEBUG[0000] outbound/wireguard[wg-out]: routine: encryption worker 1 - started
DEBUG[0000] outbound/wireguard[wg-out]: routine: decryption worker 1 - started
DEBUG[0000] outbound/wireguard[wg-out]: routine: handshake worker 1 - started
DEBUG[0000] outbound/wireguard[wg-out]: routine: tun reader - started
DEBUG[0000] outbound/wireguard[wg-out]: routine: event worker - started
DEBUG[0000] outbound/wireguard[wg-out]: interface up requested
DEBUG[0000] outbound/wireguard[wg-out]: udp bind has been updated
DEBUG[0000] outbound/wireguard[wg-out]: peer(YUTs…2c2M) - starting
DEBUG[0000] outbound/wireguard[wg-out]: interface state was Down, requested Up, now Up
DEBUG[0000] outbound/wireguard[wg-out]: peer(YUTs…2c2M) - routine: sequential receiver - started
DEBUG[0000] outbound/wireguard[wg-out]: routine: receive incoming receive - started
DEBUG[0000] outbound/wireguard[wg-out]: peer(YUTs…2c2M) - routine: sequential sender - started
```

Client: ✅✅✅ Connection can be established by the clients.

Logs

No response

nekohasekai commented 3 weeks ago

`ip -4 rule add not fwmark 51820 table 51820` hijacks all connections; change your config to remove that rule.
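Why that one rule takes the inbound clients down can be seen by walking the kernel's routing-policy database by hand. The block below is an added example (mine, not code from sing-box, wg-quick or the poster): a small Python model of the rules `wg-quick up wg0` installed above, with constructed addresses (RFC 5737 documentation ranges stand in for VPS 1's public address, the client and the WireGuard endpoint the page redacts, and a default route via eth0 is assumed). The extra `from <public IP> lookup main` rule at priority 100 is my suggestion for keeping the tunnel while exempting the server's own address; it is not what the thread settled on.

```python
"""Linux policy-routing (RPDB) walk-through for the wg-quick rule set above.

Added example, not sing-box or wg-quick code. It models only what the thread
depends on: rule priority order, `fwmark` / `not fwmark` and `from` selectors,
`suppress_prefixlength`, and longest-prefix lookup inside a table.
All addresses are constructed; the priority-100 rule is my suggestion.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[IPv4Network] = None           # `from PREFIX`
    fwmark: Optional[int] = None                # `fwmark N`
    invert_fwmark: bool = False                 # `not fwmark N`
    suppress_prefixlength: Optional[int] = None  # reject routes this short or shorter


def lookup(table: list[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def route(rules: list[Rule], tables: dict[str, list[Route]],
          src: IPv4Address, dst: IPv4Address, mark: int = 0) -> Optional[str]:
    """Walk rules in priority order; return the egress device, or None if unreachable."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        # Rule matches when (mark == fwmark) XOR invert_fwmark.
        if rule.fwmark is not None and (mark == rule.fwmark) == rule.invert_fwmark:
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is None:
            continue  # table has no route for dst: try the next rule
        if (rule.suppress_prefixlength is not None
                and hit.prefix.prefixlen <= rule.suppress_prefixlength):
            continue  # decision rejected by suppress_prefixlength: try the next rule
        return hit.dev
    return None


PUBLIC_IP = IPv4Address("203.0.113.10")  # constructed: VPS 1 address on eth0
CLIENT = IPv4Address("198.51.100.7")     # constructed: a sing-box client
WG_PEER = IPv4Address("192.0.2.1")       # constructed: the Endpoint host the page redacts
INTERNET = IPv4Address("1.1.1.1")

TABLES = {
    "main": [
        Route(IPv4Network("203.0.113.0/24"), "eth0"),  # assumed on-link subnet of eth0
        Route(IPv4Network("10.10.10.0/24"), "wg0"),    # from `ip -4 address add 10.10.10.2/24 dev wg0`
        Route(IPv4Network("0.0.0.0/0"), "eth0"),       # assumed default route of the VPS
    ],
    # from `ip -4 route add 0.0.0.0/0 dev wg0 table 51820`
    "51820": [Route(IPv4Network("0.0.0.0/0"), "wg0")],
}

# What `wg-quick up wg0` installs; priorities are the ones the kernel hands out
# when `ip rule add` is called without `priority` (32766 is the built-in main rule).
WG_QUICK_RULES = [
    Rule(32764, "main", suppress_prefixlength=0),             # ip -4 rule add table main suppress_prefixlength 0
    Rule(32765, "51820", fwmark=51820, invert_fwmark=True),   # ip -4 rule add not fwmark 51820 table 51820
    Rule(32766, "main"),
]

# My addition: `ip -4 rule add from 203.0.113.10/32 table main priority 100`
# so anything sourced from the public address is routed before wg-quick's rules apply.
FIXED_RULES = [Rule(100, "main", src=IPv4Network("203.0.113.10/32"))] + WG_QUICK_RULES


def vmess_reply(rules: list[Rule]) -> Optional[str]:
    """Reply packet of the inbound vmess connection accepted on eth0:11144."""
    return route(rules, TABLES, PUBLIC_IP, CLIENT)


def wg_transport(rules: list[Rule]) -> Optional[str]:
    """WireGuard's own encrypted UDP, carrying the fwmark set by `wg set wg0 fwmark 51820`."""
    return route(rules, TABLES, PUBLIC_IP, WG_PEER, mark=51820)


def proxied_egress(rules: list[Rule]) -> Optional[str]:
    """Traffic the direct outbound sends out through wg0, sourced from the tunnel address."""
    return route(rules, TABLES, IPv4Address("10.10.10.2"), INTERNET)


if __name__ == "__main__":
    for name, rules in (("wg-quick rules", WG_QUICK_RULES), ("with from-rule", FIXED_RULES)):
        print(f"{name}: vmess reply -> {vmess_reply(rules)}, "
              f"wg transport -> {wg_transport(rules)}, "
              f"proxied egress -> {proxied_egress(rules)}")
```

Under the wg-quick rules the `suppress_prefixlength 0` entry lets the main table answer only for specific routes, so replies to the vmess client, which match nothing but the default route, fall through to `not fwmark 51820` and are pushed into wg0 with the eth0 source address: that is the hijack the reply above names. WireGuard's own transport packets carry the 51820 mark, skip that rule and keep using eth0, which is what stops the tunnel looping into itself. With the `from` rule in front, replies from the public address go back out eth0 while proxied egress from 10.10.10.2 still takes wg0. One caveat for the `bind_interface` approach: binding a socket to wg0 does not create a route, the kernel still has to find a route to the destination through wg0, and in this setup only table 51820 supplies one.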

davidstrt commented 3 weeks ago

Great, Works like a charm :)